Re: [Ace] [Secdispatch] EDHOC

Bret Jordan <jordan.ietf@gmail.com> Tue, 12 February 2019 01:42 UTC

Return-Path: <jordan.ietf@gmail.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 648F51276D0; Mon, 11 Feb 2019 17:42:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6zc_T5Z_JDra; Mon, 11 Feb 2019 17:42:21 -0800 (PST)
Received: from mail-yw1-xc31.google.com (mail-yw1-xc31.google.com [IPv6:2607:f8b0:4864:20::c31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD52F1293B1; Mon, 11 Feb 2019 17:42:20 -0800 (PST)
Received: by mail-yw1-xc31.google.com with SMTP id 189so402509ywi.3; Mon, 11 Feb 2019 17:42:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=82t6pxcaeWl42N4kSf7iu5CjG8Nq+cqA0Qzk/WvV5dM=; b=saQyEY3nmJxStOb72tiuScVBqsYFgxM+ophIGMnGqvVv6TA0s2ZmwKp+Km6xyLLmIQ UWHm1XyC2XFt4S+NUPWilnxZuvGKqIATLNlTWt//7/moa6co9Y4nPuW0Zioz39CfX3HS OCST+Xv3/47Rl/h2tvMENwIJ/6qETCYyjd866jbCM8r7KCVvoRohwfEWcJ2BzsKGVnPH C1Q2u+Uyyx9OP2XuxN8X0v1jdR0utIe8VxtnFE8aJRC9wJXHzU4EKnfaeU0YRw8jH1v6 7m2/0k13sNb25hu1ZRP5LaLJ/9pPl+gQrdnUj+CNyXFgGQXxRWwXCG/crgUgC+huIVVb X09w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=82t6pxcaeWl42N4kSf7iu5CjG8Nq+cqA0Qzk/WvV5dM=; b=NHDubWPCbh0/6ppBtFIup151BMUQR+maHDgZordj+nQZLDzYzLYpZ5uAi1biZaDBeL RWZQ8z5BmC3PayfqfxAWLOjbACLG87zlJJVr1QP9c3tnlKntRB+EhS0fdGy6AaQN4wOY LBD4xMrZO8bbQ6kUv30VlYES3CWP56PBhT2sU1IxJIW+MF6wOVRwknOlpPx1C9kjeZ5p 4f68AGnigp4MPabsdpBRjZBorl8JNrRCqtCLWTbImk48XODVW0PrQ5QXnJp4tUNs3xGc unWU56965/eHKqbI/mQpZ3zFiu8t9JVmu2C1IOpRZBtso3lBXKF/E2RG4ywScM9LbcZq xFjw==
X-Gm-Message-State: AHQUAuZZ9/CPOb8bNtf/zGsIWJOuA35zbrLDnuhHBygP4WnTMqCwMx0y vihplWgEOrYw4IneNaFw2j8=
X-Google-Smtp-Source: AHgI3Ia0wrBogjJgU1bzgdB9fCsvPhYRlemgb/eNNX0xHPiZDeUH6vdjCIltwr+fRARtHqbilmPCMQ==
X-Received: by 2002:a81:8147:: with SMTP id r68mr874439ywf.89.1549935740059; Mon, 11 Feb 2019 17:42:20 -0800 (PST)
Received: from ?IPv6:2605:a601:a028:986:ddbc:c9d:3ba3:3cbb? ([2605:a601:a028:986:ddbc:c9d:3ba3:3cbb]) by smtp.gmail.com with ESMTPSA id 77sm4356726ywr.19.2019.02.11.17.42.17 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 11 Feb 2019 17:42:19 -0800 (PST)
From: Bret Jordan <jordan.ietf@gmail.com>
Message-Id: <59F7FFB0-4158-4EC4-9A5B-1EBE41AF3CE4@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_BA9F15D0-17A4-4B91-B5B3-F1B823B8A0A3"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Mon, 11 Feb 2019 18:42:14 -0700
In-Reply-To: <284CB223-291D-45EF-A2B7-D49BE876AF94@gmail.com>
Cc: Roman Danyliw <rdd@cert.org>, "secdispatch@ietf.org" <secdispatch@ietf.org>, Richard Barnes <rlb@ipv.sx>, "ace@ietf.org" <ace@ietf.org>, =?utf-8?Q?G=C3=B6ran_Selander?= <goran.selander@ericsson.com>, Francesca Palombini <francesca.palombini@ericsson.com>, John Mattsson <john.mattsson@ericsson.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
References: <D629D980-C059-474F-B259-2700F2EEAE41@ericsson.com> <79FD6563-8ADA-4D73-B8D5-C3D70604CD76@gmail.com> <F72354EF-2FB7-41C0-BCA1-6D4511A410B2@ericsson.com> <47F03C99-68C1-4ADB-873D-F01987D66849@ipv.sx> <20190118172714.GJ81907@kduck.mit.edu> <359EC4B99E040048A7131E0F4E113AFC0185795C45@marathon> <CAL02cgQgoxrxzBHk9pCvWwg8n91gpfK=4kReGfFfb=Av8=CoCw@mail.gmail.com> <05C8AB73-EFD1-4AC8-A795-D3624153F4D2@ericsson.com> <CAHbuEH4JpZV9TeCFjv89oCeQLD21rPdkbjKeLnRPG1V07VCRBQ@mail.gmail.com> <CAHbuEH6MpTowqTFmFejr0xi6a8+SarHjfifMHjP=Vf+if49RXQ@mail.gmail.com> <359EC4B99E040048A7131E0F4E113AFC01857BE125@marathon> <284CB223-291D-45EF-A2B7-D49BE876AF94@gmail.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/wome7NcRqKDftdrZHjn-YkoEfRk>
Subject: Re: [Ace] [Secdispatch] EDHOC
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 01:42:25 -0000

Yes, doing anything during the week of RSA is a significant challenge. 


Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

> On Feb 11, 2019, at 5:29 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
> 
> If I’m reading it correctly, it looks like I will be speaking at RSA during that time slot.  Can the recording be posted?  It’s a tough week for anyone attending, so I suspect attendance will be impacted.
> 
> Thank you,
> Kathleen 
> 
> Sent from my mobile device
> 
> On Feb 11, 2019, at 6:13 PM, Roman Danyliw <rdd@cert.org <mailto:rdd@cert.org>> wrote:
> 
>> Hi Kathleen!
>>  
>> Yes.  A doodle poll to determine the most agreeable time the week of March 4 was just sent:
>>  
>> https://mailarchive.ietf.org/arch/msg/secdispatch/KU3SWW_4UeJ9JMH9abmzaKeXXgc <https://mailarchive.ietf.org/arch/msg/secdispatch/KU3SWW_4UeJ9JMH9abmzaKeXXgc>
>>  
>> Roman
>>  
>>  
>> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com <mailto:kathleen.moriarty.ietf@gmail.com>] 
>> Sent: Monday, February 04, 2019 12:30 PM
>> To: Göran Selander <goran.selander@ericsson.com <mailto:goran.selander@ericsson..com>>
>> Cc: Richard Barnes <rlb@ipv.sx <mailto:rlb@ipv.sx>>; Roman Danyliw <rdd@cert.org <mailto:rdd@cert.org>>; John Mattsson <john.mattsson@ericsson.com <mailto:john.mattsson@ericsson.com>>; secdispatch@ietf.org <mailto:secdispatch@ietf.org>; Francesca Palombini <francesca.palombini@ericsson.com <mailto:francesca.palombini@ericsson.com>>; ace@ietf.org <mailto:ace@ietf.org>
>> Subject: Re: [Ace] [Secdispatch] EDHOC
>>  
>> Will there be an interim for this topic?  
>>  
>> Thank you,
>> Kathleen
>>  
>> On Thu, Jan 24, 2019 at 2:15 PM Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com <mailto:kathleen.moriarty.ietf@gmail.com>> wrote:
>> Thanks for the very helpful message, Goran.  A couple of comments inline.
>>  
>> On Thu, Jan 24, 2019 at 11:31 AM Göran Selander <goran.selander@ericsson.com <mailto:goran.selander@ericsson.com>> wrote:
>> Hi Richard, Roman, all
>>  
>> Thanks for kind welcome and for progressing the discussion. Apologies for a long email.
>> 
>>  
>> From: Richard Barnes <rlb@ipv.sx <mailto:rlb@ipv.sx>>
>> 
>>  
>> Summing up where I believe the conversation stands now, it seems like what folks are asking for is either:
>>  
>> 1..      An analysis that shows that EDHOC is equivalent to an existing AKE (e.g., IKE or TLS), or
>>  
>> 2. An argument that a new AKE is necessary (vs. a re-encoding of an existing AKE)
>>  
>> Göran et al: Do you have thoughts on those points?
>>  
>> Yes. I’ll get back to this later in this email.
>>  
>> It seems like it could be a productive use of an hour or two of virtual interim time to help the group understand one of those lines of argument.
>>  
>> Agree.
>>  
>> Anything to prevent further hold ups on this work would be appreciated.
>>  
>>  
>> --Richard
>>  
>> As requested in a previous email, here is a background.
>> 
>>  
>> 
>> The work on EDHOC is motivated by the need for an authentication and key exchange protocol for OSCORE (draft-ietf-core-object-security) optimized for constrained-node networks (RFC 7228). OSCORE is applied within the IETF, e.g. in 6TiSCH minimal security (draft-ietf-6tisch-minimal-security), but also requested by other SDOs and industry fora such as OMA Specworks, Open Connectivity Foundation and Fairhair Alliance. The properties of OSCORE motivating its use include: support for CoAP forward proxies, support for change of underlying transports including non-IP, low overhead, low additional footprint and memory to existing CoAP implementations, support for multicast security, security for end-to-end REST. 
>> 
>>  
>> 
>> Given the large interest in OSCORE already before it has become an RFC we anticipate a wide range of deployments. For example, we see an interest for OSCORE in Cellular IoT with traffic running over the cellular air interface control channel, where we can have end-to-end CoAP, but not necessarily end-to-end IP between an application server and a cellular device. Or between an application server and a device behind a cellular gateway. Comparing just these two cases, the difference in capabilities of the devices can be significant which makes it difficult to point at some sort of “reference devices” for benchmarking.
>> 
>>  
>> 
>> In order to support the low end use cases the AKE must be performant in low bandwidth deployments with battery powered devices restricted in RAM and ROM. Message sizes and round trips have a direct impact on latency, power consumption and battery lifetime, and can be calculated which is the reason for this being a commonly used metric. While it may be more difficult to compare memory and storage requirements, the ability to reuse existing code is an important indication. If a device can support a CoAP stack (in the sense of memory and flash, etc) it is expected to also be able to support OSCORE. Similarly, it is desirable that a device with CoAP and OSCORE implemented should be able to support an additional AKE. Considering that EDHOC reuses CBOR and COSE primitives from OSCORE the additional code for EDHOC can be very limited.
>> 
>>  
>> 
>> From a security point of view OSCORE requires that the endpoints have agreed on a Master Secret with a good amount of randomness, and each other’s Sender IDs, and those must be different for a given Master Secret.
>> 
>>  
>> 
>> Now returning to the questions.
>> 
>>  
>> 1..      An analysis that shows that EDHOC is equivalent to an existing AKE (e.g., IKE or TLS)
>>  
>> Considering EDHOC is a new protocol it should be thoroughly analysed and verified against all currently known issues of AKEs. Roman sent a mail to the secdispatch list referencing a paper presented at SSR 2018 which could be used as a starting point. How do folks want to digest this: Do they want to study the model themselves or should we ask the authors if they could present their work at the interim? 
>> 
>>  
>> 2. An argument that a new AKE is necessary (vs. a re-encoding of an existing AKE)
>>  
>> 
>> We have done this comparison with TLS/DTLS for some time now, and what once seemed like a reasonable question has turned out to be never ending exercise. I do not want to get into IETF archeology but for those who have not followed the discussion some data points could be relevant.
>> 
>>  
>> 
>> Not long ago, the design of security protocols did not take into account constrained IoT devices. With OSCORE we showed that the message overhead could be reduced by a factor 3 compared to DTLS 1..2 records. Before this comparison it was believed that the record layer was performing well, then the difference in overhead was characterized as insignificant, and then finally a compact format was designed for DTLS 1.3.
>> 
>>  
>> 
>> With EDHOC we showed that the message overhead of the key exchange can be reduced with up to a factor 4 compared to the current version of DTLS 1.3 (see Appendix E in EDHOC). Before this exercise it was believed that the TLS/DTLS handshake was performing well, then the difference in overhead was characterized as insignificant, and now the discussion has shifted to downsizing the TLS handshake or other protocol.
>> 
>>  
>> 
>> We are not against optimizations to the TLS handshake, just as we welcome the more optimal DTLS 1.3 records. But TLS was not designed to be an AKE for OSCORE optimized for constrained environments.. As I remember, optimizing for message overhead was an explicit non-requirement of TLS 1.3. Reverting those design decisions seems like the wrong way to go: One reason to use TLS would be to reuse an existing implementation. But existing TLS implementation would most likely not compare favorably in terms of code size and RAM. Adding code for compression or re-encoding of the messages would add to that. Re-specifying the protocol with the new encoding may require a new formal verification. To make a more compact code and processing may involve two incompatible message formats of TLS depending on what is being signed. New implementations would be needed.
>> 
>>  
>> 
>> We think we have done our part of the comparison exercise and that the burden of proof should now be reversed. Could we ask those that claim to have a more performant key exchange protocol for OSCORE and are prepared to do the work to make that plausible and provide the numbers? To be clear: if there is another key exchange protocol suitable for OSCORE which outperforms EDHOC in constrained characteristics and then we are very interested.
>>  
>> I agree with Goran that they have jumped through enough hoops at this point.  However, if alternatives come forward, understanding their timelines is also critical as not to hold up this work for any substantial amount of time. 
>>  
>>  
>> And again, with the statements in this mail we neither want to belittle the considerable effort made on formal verification, nor claim that DTLS is not fit for IoT deployments. It is an important hammer in our IoT security toolbox, but at the moment we don’t need a hammer.
>>  
>> The class of IoT device seems to be the critical point here and having one protocol that can meet all needs is a nice goal, but not realistic from the comparison numbers provided and the varying requirements in the IoT space.
>>  
>> Best regards,
>> Kathleen
>>  
>>  
>>  
>> 
>> Göran
>> 
>>  
>> 
>>  
>> 
>>  
>> 
>>  
>> 
>>  
>> 
>>  
>> 
>>  
>> 
>>  
>> 
>>  
>> 
>>  
>>  
>> _______________________________________________
>> Ace mailing list
>> Ace@ietf.org <mailto:Ace@ietf.org>
>> https://www.ietf.org/mailman/listinfo/ace <https://www.ietf.org/mailman/listinfo/ace>
>> 
>>  
>> -- 
>>  
>> Best regards,
>> Kathleen
>> 
>>  
>> -- 
>>  
>> Best regards,
>> Kathleen
> _______________________________________________
> Secdispatch mailing list
> Secdispatch@ietf.org
> https://www.ietf.org/mailman/listinfo/secdispatch